* Filtering encrypted vs. unencrypted packages?
@ 2004-10-30 21:46 Hadmut Danisch
2004-10-31 15:14 ` Lopsch
2004-10-31 18:43 ` Jason Opperisano
0 siblings, 2 replies; 3+ messages in thread
From: Hadmut Danisch @ 2004-10-30 21:46 UTC (permalink / raw)
To: netfilter
Hi,
I was just playing around with 2.6 IPSec and isakmpd and ran into a problem:
In order to have the packets from the peer IPSEC network accepted,
I need to have an entry like
iptables -A INPUT -s 192.168.19.0/24 -j ACCEPT
where 192.168.19.0 is the network behind the ipsec peer.
But if I do this, the machine would also accept unencrypted packets
from the Internet (except for the fact that packets to RFC 1918 addresses
are not routed, but assume that the LAN has official addresses).
I can't even distinguish them by the interface, because from an
iptables point of view, the packets are incoming on the external interface,
as if they were coming unencrypted.
How do I treat packets from IPSec and unencrypted plain packets from the
Internet differently with iptables?
regards
Hadmut
* Re: Filtering encrypted vs. unencrypted packages?
From: Lopsch @ 2004-10-31 15:14 UTC (permalink / raw)
To: Netfilter-Mailinglist
Hadmut Danisch wrote:
> Hi,
>
> I was just playing around with 2.6 IPSec and isakmpd and ran into a
> problem:
>
> In order to have the packets from the peer IPSEC network accepted,
> I need to have an entry like
>
> iptables -A INPUT -s 192.168.19.0/24 -j ACCEPT
>
Try using the protocol option:
iptables -A INPUT -s 192.168.19.0/24 -p 50 -j ACCEPT
iptables -A INPUT -s 192.168.19.0/24 -p 51 -j ACCEPT
where 50 are ESP packets and 51 AH, if I understood it right.
* Re: Filtering encrypted vs. unencrypted packages?
From: Jason Opperisano @ 2004-10-31 18:43 UTC (permalink / raw)
To: netfilter
On Sat, 2004-10-30 at 17:46, Hadmut Danisch wrote:
> Hi,
>
> I was just playing around with 2.6 IPSec and isakmpd and ran into a problem:
>
> In order to have the packets from the peer IPSEC network accepted,
> I need to have an entry like
>
> iptables -A INPUT -s 192.168.19.0/24 -j ACCEPT
>
> where 192.168.19.0 is the network behind the ipsec peer.
>
> But if I do this, the machine would also accept unencrypted packets
> from the Internet (except for the fact that packets to RFC 1918 addresses
> are not routed, but assume that the LAN has official addresses).
>
> I can't even distinguish them by the interface, because from an
> iptables point of view, the packets are incoming on the external interface,
> as if they were coming unencrypted.
>
> How do I treat packets from IPSec and unencrypted plain packets from the
> Internet differently with iptables?
the packets pass through the netfilter tables twice--once encrypted, and
once unencrypted. the 'common' way to filter IPSec traffic with the 2.6
kernel is to mark the IPSec packets:
# mark ipsec packets from vpn peer 1
iptables -t mangle -A PREROUTING -p 50 -s $vpn_peer1 \
    -j MARK --set-mark 1
# accept IKE & ESP packets from vpn peer 1
iptables -A INPUT -i $extif -p udp -s $vpn_peer1 \
    --sport 500 --dport 500 -j ACCEPT
iptables -A INPUT -i $extif -p 50 -s $vpn_peer1 -j ACCEPT
# accept packets from the remote vpn net that have the mark
iptables -A FORWARD -s $vpn_peer_net1 -m mark --mark 1 -j ACCEPT
-j
--
"That's it! You people have stood in my way long enough. I'm going
to clown college!"
--The Simpsons
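The mark-based scheme from Jason's reply written out as a complete ruleset, with the source-only rule from the original question beside it for comparison. This is an added example, not code from the thread; the interface name and the peer gateway address are assumed placeholders, and the script only prints the rules unless it is run with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): the source-only rule from the question
# next to the mark-based ruleset from the reply, extended to the INPUT chain
# the question asked about. Assumed values: EXTIF (external interface),
# VPN_PEER (the peer gateway's public address, an RFC 5737 documentation
# address here) and VPN_NET (the network behind the peer, as in the thread).
EXTIF=${EXTIF:-eth0}
VPN_PEER=${VPN_PEER:-203.0.113.10}
VPN_NET=${VPN_NET:-192.168.19.0/24}
IPT=${IPT:-"echo iptables"}   # dry run: print rules instead of loading them

# The rule from the question. It trusts anything that claims a source in
# 192.168.19.0/24, so a plaintext packet from the Internet with a spoofed
# source address is accepted just like decrypted VPN traffic.
weak_rule() {
    $IPT -A INPUT -s "$VPN_NET" -j ACCEPT
}

# The thread's approach: a VPN packet traverses netfilter twice, first as ESP
# (IP protocol 50) from the peer gateway, then again decrypted with the inner
# addresses. Marking the ESP packet in mangle/PREROUTING lets the decrypted
# pass be recognised, because only decrypted packets carry mark 1; plaintext
# from the Internet never gets the mark and falls through to the DROP rules.
ipsec_rules() {
    $IPT -t mangle -A PREROUTING -i "$EXTIF" -p 50 -s "$VPN_PEER" \
        -j MARK --set-mark 1
    # IKE (UDP 500) and ESP from the peer gateway itself
    $IPT -A INPUT -i "$EXTIF" -p udp -s "$VPN_PEER" --sport 500 --dport 500 -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p 50 -s "$VPN_PEER" -j ACCEPT
    # Decrypted packets from the remote net: accept only with the mark present
    $IPT -A INPUT -i "$EXTIF" -s "$VPN_NET" -m mark --mark 1 -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -s "$VPN_NET" -m mark --mark 1 -j ACCEPT
    # Anything else claiming the remote net's address on the external interface
    # arrived in the clear: log it for detection, then drop it
    $IPT -A INPUT -i "$EXTIF" -s "$VPN_NET" -j LOG --log-prefix "unencrypted-vpn-src: "
    $IPT -A INPUT -i "$EXTIF" -s "$VPN_NET" -j DROP
    $IPT -A FORWARD -i "$EXTIF" -s "$VPN_NET" -j DROP
}

# Note (not from the thread): later iptables releases can match the IPsec
# policy directly with: -m policy --dir in --pol ipsec --proto esp
if [ "${1:-}" = apply ]; then
    IPT=iptables
fi
ipsec_rules
```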